It’s 10pm. Do you know where your data are?
Not to toot my own horn (but I’m going to anyway), way back when computers were in their infancy I designed some of the primary software tools that eventually became the staple solutions seen on every single computer in the world today. But that is a story for another day…
After years and years of seeing very personal information exposed (social security and credit card numbers) -- so blatantly and recklessly stored at a myriad of companies, I designed a highly sophisticated encryption system (used in the gambling world) to protect sensitive data.
In 1995 I created software for a multilevel marketing company in the Silicon Valley of northern California. It was a small company with a database of around 40,000 users. Along with the standard name and address info, there were 40,000 valid credit card numbers exposed as plain text for anyone with access to the unprotected database to see.
Good thing I was not a thief.
There was little we could do back then to protect data. The levels of security we have today that limit access to personal information did not exist back then. It only took a few years of seeing what happened when disgruntled programmers built ‘back doors’ into software systems to permit themselves surreptitious access to company information before the word ‘trust’ was redefined to mean anything or anyone you could keep on a six-foot or shorter leash.
Fast forward to 2010. Software systems have progressed to the point that data is fairly secure behind tons of firewalls and multiple secure access levels that only permit the ‘best of the best of the best’ to access them. I’m working for a health care provider in Los Angeles with 10 million subscribers. As I work my way through the database to familiarize myself with its structure and design, what do I see?
10,000,000 social security numbers in plain view. I went looking for a fire alarm to pull. After I yank myself off the floor, I slump into the office of the head of I.T. and casually inform him of what I have found. By this time in the history of computers, while data breaches were not common, when they did occur, they were spectacular. It only took another year or two before they became common and spectacular.
His reply was as naïve and foolish as I had heard in the then 30 years I had been at this: “All of this is protected HIPAA data. No one would dare break federal law and access the information.”
I did my best imitation of Linda Blair’s head doing a 360 in “The Exorcist” and exited stage left with all haste.
The reason why most companies do not encrypt personal information is quite simple: It dramatically slows down data access. In every database in every company in the entire world, there is one common piece of info. There must be a primary and unique access key for every record stored. There are only two pieces of personal info that are unique: your phone number and social security number. That’s it. Those are the only pieces of data guaranteed to make you instantly identifiable in the whole world.
When you call up a bank or credit card or insurance company, what do they ask for? The last four digits of your SS and your phone number. These are then fed into the software and a lookup nearly immediately retrieves your file. The database uses what is called a unique index that stores these two keys together, making your particular information easier to find. Encrypting the SS to keep it away from prying eyes would render the software useless in quickly retrieving that data because it would need to apply the decryption algorithm on every single record stored to compare the four digits you supplied to the info that matches you uniquely. That would turn the couple of seconds into a couple of hours to sift through the file.
This is why large corporations build fences and moats and castles around their servers to try and protect your data. And there isn’t a fence, moat, or castle that can’t be stormed by an efficient army.
This is why I designed a very sophisticated encryption algorithm in 2006 to protect gambling software. If your personal data is hacked you can get a new credit card and the disputed charges are reversed. I’ve had it occur often enough to me that I no longer bristle (too long) when it happens.
However, if you are gambling online and your money gets stolen, you are plumb out of luck. That reservoir of winnings can be converted into someone else’s cold hard cash in under 3-4 seconds. The levels of protection required are manifold. The first thing I did was protect the physical computer from being stolen. When the gaming software is initially stored on the device, I ran a lookup for two very unique pieces of information: the geodata for that business location (its precise latitude and longitude) and the time that the sun rose that day. This information is absolutely unique to the physical location of the server.
I then converted this data into a unique key for that box. That key was then used to unlock the software for access, which in turn unlocks the data therein. If an attempt was made internally to duplicate the hard drive and move it to another location, or if the computer was stolen and taken somewhere else to hack, it would not start at all because it would know the geodata had been altered. That box was now locked to a specific physical area and could not be moved without permission.
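A minimal sketch of a location-bound key like the one described above, added here as an illustration and not the author's code. The rounding precision, PBKDF2, the HMAC tag and all sample values are assumptions; the sunrise time is passed in as a string and how it is looked up is outside the example.

```python
import hashlib
import hmac

def location_key(lat, lon, sunrise, salt):
    """Derive a 32-byte key from the install site's coordinates and sunrise time."""
    # Assumption: round to 4 decimals (~11 m) so GPS jitter inside the building
    # yields the same key. A site sitting on a rounding boundary can still flip.
    material = f"{lat:.4f}|{lon:.4f}|{sunrise}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

def seal(lat, lon, sunrise, salt, image):
    """At install time: compute the tag stored beside the software image."""
    key = location_key(lat, lon, sunrise, salt)
    return hmac.new(key, image, hashlib.sha256).digest()

def unlock(lat, lon, sunrise, salt, image, tag):
    """At boot: re-derive the key from the current location and check the tag."""
    return hmac.compare_digest(seal(lat, lon, sunrise, salt, image), tag)

# Constructed sample values, not taken from the article.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
IMAGE = b"gaming-software-image-v1"
SUNRISE = "2006-06-01T05:24"
TAG = seal(36.1699, -115.1398, SUNRISE, SALT, IMAGE)

if __name__ == "__main__":
    print("same site, GPS jitter:", unlock(36.16992, -115.13981, SUNRISE, SALT, IMAGE, TAG))
    print("moved to another city:", unlock(34.0522, -118.2437, SUNRISE, SALT, IMAGE, TAG))
```

Coordinates and sunrise tables are public, so a key built only from them binds the software to a place rather than keeping it secret; it would need to be mixed with a device-held secret to resist someone who knows the address.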
To enhance the internal data, I created what is known as a ‘sliding window’ algorithm. This is a very sneaky way of protecting data because the info is constantly morphing into something else, very similar to what was seen in the Bruce Willis movie “Live Free or Die Hard”.
The sliding window I used was the actual length of the words being stored in the file. The length of each word would define the unique key used to encrypt every subsequent word in the record. This made it nearly impossible for someone to search for common and repetitive elements to aid in hacking the data. The code for unwinding this mess into something readable was stored many stories deep in the computer, in an area of memory that would require so much labor to uncover that it should drive even the most fervent hacker to cutting off his own hands and eating them before proceeding any further.
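The chaining idea above, sketched as an added example that is not the author's algorithm: each word's length is folded into the key used for every later word in the record. The HMAC-SHA256 keystream, the per-record identifier and the sample key are assumptions made for this sketch.

```python
import hashlib
import hmac

def _keystream(key, n):
    """n bytes of keystream from HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def _slide(key, word_len):
    """Advance the key using the length of the word just processed."""
    return hmac.new(key, b"len:" + word_len.to_bytes(4, "big"), hashlib.sha256).digest()

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def encrypt_record(base_key, record_id, words):
    # Assumption: a per-record id is mixed in so that two records never start
    # from the same key (otherwise their first words would share a keystream).
    key, blobs = hmac.new(base_key, record_id, hashlib.sha256).digest(), []
    for word in words:
        data = word.encode()
        blobs.append(_xor(data, key))
        key = _slide(key, len(data))
    return blobs

def decrypt_record(base_key, record_id, blobs):
    key, words = hmac.new(base_key, record_id, hashlib.sha256).digest(), []
    for blob in blobs:
        words.append(_xor(blob, key).decode())
        key = _slide(key, len(blob))  # ciphertext length equals word length
    return words

# Constructed sample key and record, not taken from the article.
KEY = b"k" * 32

if __name__ == "__main__":
    blobs = encrypt_record(KEY, b"rec-1", ["ACE", "KING", "ACE"])
    print([b.hex() for b in blobs])  # the two "ACE" entries differ
    print(decrypt_record(KEY, b"rec-1", blobs))
```

In this sketch each ciphertext has the same length as its word, so the lengths that drive the chain are visible to anyone holding the file; the secrecy rests entirely on the base key, and nothing here detects tampering.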
This was my gift to the computer world after years and years of watching seemingly sophisticated systems turned into driveling idiots in five minutes or less.
So the next time you wonder if your data is safe: it isn’t, it can’t be, and it never will.